Monday, November 18, 2019

How the new Talos IR Cyber Range can prepare your employees for a cyber attack

By Gerard Johansen, Charles Iszard and Luke DuCharme.

With the surge of ransomware attacks, information leaks and other cyber attacks in the headlines, most companies and organizations are aware that their employees need to be trained on how to stay safe online. But the real challenge lies in how to develop these pieces of training and tools in-house to build the necessary muscle memory to prevent and respond to an event.  Sending an analyst or two to a distant location for training depletes travel and training budgets, and when they return, there is little time to transfer this knowledge back to colleagues or managers.

Vendor-provided training focuses on the vendor’s proprietary technology and often neglects the concepts that need to be incorporated into an organization’s ability to respond.

To address these issues, Cisco Talos Incident Response (CTIR) created an interactive Cyber Range focused on Incident Response. This immersive experience is designed and delivered by incident response professionals for security professionals who need to increase their competency and muscle memory in incident response-related tasks.

Thursday, November 14, 2019

Threat Source newsletter (Nov. 14, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It was all about the bugs this week. Patch Tuesday was especially busy for us, including our usual recap of all the vulnerabilities Microsoft's security update this month (two of which we discovered). On top of that, we also disclosed a remote code execution vulnerability in some Intel graphics drivers and another in Exhibitor’s web user interface.

We also recently discovered a wave of actors using living-off-the-land binaries to keep their malware from being detected. We run through how to detect these so-called “LoLBins,” and walk through some campaigns where we’ve seen them being used in the wild.

And, as always, we have our latest Threat Roundup with runs through the top threats we’ve seen (and blocked) over the past week.

Custom dropper hide and seek

Executive summary

Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users' passwords, track their habits online and hijack personal information.

Cisco Talos has monitored adversaries which are behind a wave of ongoing campaigns dropping well-known information-stealer like Agent Tesla, Loki-bot and others since at least January 2019. The adversaries using custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.

The injection techniques we're seeing in the wild are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware. In this post, we'll walk through one of these campaigns in detail and how the different stages of the dropper hide the malware. Any internet user is a potential target of this malware, and if infected, has the potential to completely take away a user's online privacy.

Wednesday, November 13, 2019

Hunting for LoLBins


By Vanja Svajcer.

Introduction

Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins". LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

In this post, we will take a look at the use of LOLBins through the lense of Cisco's product telemetry. We'll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.

You'll also find an overview of a few recent campaigns we've seen using LoLBins, along with recommendations for how to detect malicious LoLBins' activities.

Vulnerability Spotlight: Command injection bug in Exhibitor UI


Logan Sanderson of Cisco ASIG discovered this vulnerability. Blog by Jon Munshaw.

Exhibitor Web UI contains an exploitable command injection vulnerability in its Config editor. Exhibitor is a ZooKeeper supervisory process. Exhibitor's Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper.

Per Cisco's vulnerability disclosure policy, we are publishing the details of this vulnerability without a patch from Exhibitor after a set deadline.

Vulnerability Spotlight: Denial-of-service vulnerability in Intel IGC64 graphics driver


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Intel’s IGC64.dll graphics driver contains a denial-of-service vulnerability. An attacker could exploit this bug by supplying a malformed pixel shader if the graphics driver is operating inside a VMware guest operating system. This type of attack can be triggered from VMware guest usermode to cause a denial-of-service attack due to an out-of-bounds read in the driver.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Intel to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, November 12, 2019

Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage












By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."

This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448 —a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Vulnerability Spotlight: Remote code execution vulnerability in Microsoft Media Foundation


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation’s framework contains a remote code execution vulnerability that exists due to a use-after-free condition. This specific bug lies in Media Foundation's MPEG4 DLL. An attacker could provide a user with a specially crafted QuickTime file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates here, and see the Snort rules that provide coverage here.
Microsoft released, read Talos’ full blog

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Remote code execution vulnerability in Microsoft Excel


Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a remote code execution vulnerability in Microsoft Excel. Microsoft disclosed this bug as part of their monthly security update Tuesday. This vulnerability exists in the component responsible for handling the “MicrosoftÆ Office HTML and XML” format introduced in Microsoft Office 2000. A specially crafted XLS file could lead to a user-after-free vulnerability and remote code execution. Microsoft released a patch for this vulnerability in this month's Patch Tuesday security update, which you can read more about here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

New partnership brings together Talos’ visibility with IR’s unmatched response capabilities


By Jon Munshaw.

The threat landscape has evolved into a complex, challenging environment for organizations everywhere. A talent shortage, combined with an increase in incidents, has led to a generally weak security posture among most organizations. Defenders’ backs are up against the wall. Organizations around the world now realize that sitting back and waiting for an alert or receiving information from law enforcement about an incident in their environment brings stiff fines, increased scrutiny, lost intellectual property, data privacy concerns and lost business.

Cisco Talos announced last week that it is bringing Cisco Incident Response into the Talos family. With this new partnership, Cisco Talos Incident Response hopes to use Talos’ actionable intelligence and unprecedented visibility to assist defenders to answer threats faster.

Friday, November 8, 2019

Threat Roundup for November 1 to November 8

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 7, 2019

Threat Source newsletter (Nov. 7, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

The only news we’re going to cover this week is the biggest news we’ve had in a while. Tuesday, we announced that Cisco Incident Response was becoming part of the Talos family. We’ve been working together for years, but now we’ll be closer than ever, so Incident Response can benefit from Talos’ intelligence, while their boots-on-the-ground experience will only add to Talos’ portfolio.

Check out our announcement blog post for more information. The Talos Incident Response at-a-glance also provides an overview of the services IR provides. And the new IR page on TalosIntelligence.com gives you an easy way to contact IR, should you need their services.

We also have a special edition of the Beers with Talos podcast, where Amy Henderson of Talos’ Threat Interdiction team joins us to talk about the benefits of this new relationship.

Wednesday, November 6, 2019

Vulnerability Spotlight: Code execution vulnerabilities in LEADTOOLS


Marcin Towalski and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building
applications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the execution of code remotely.

In accordance with our coordinated disclosure policy, Cisco Talos worked with LEAD Technologies to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, November 5, 2019

Talos, Cisco Incident Response team up to offer more protection than ever












By Sean Mason

Over the years, I've had the honor and privilege to work within some of the greatest security teams on the planet, working alongside such passionate and talented people at Cisco makes delivering this announcement perhaps the greatest honor yet.

The best security organizations on the planet excel at preventing, defending, and responding, which boils down to one key aspect – an intelligence-driven approach to security.

Several years ago, Cisco Talos intelligence started to support Cisco’s Incident Response Services group, with IR feeding highly contextualized data back into the Talos Detection and Response efforts. This was key to building a market-leading, albeit standalone, incident response service offering at Cisco.

Today, we are excited to announce the next step in the evolving relationship between intelligence, research, and IR – Cisco Talos Incident Response.

Beers with Talos Ep. #65: Please welcome to the show… Talos Incident Response

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 65 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Oct. 25, 2019 

Today is a bit different. We normally keep things pretty neutral on this show (not really), but today is all about the new service Talos is launching: Say hello to Talos Incident Response. Amy Henderson from the Talos Intel and Interdiction group joins us as we discuss the full circle of threat intelligence — from global visibility to hyper-local context, and how IR allows those to feed into each other. Listen to the announcement as we discuss what IR is, what it means in general, and what Talos brings to that equation. We hope you are half as excited as we are because that is still pretty dang excited. Lastly, Craig isn’t with us today, but you get to decide his fate for being dishonest with you, dear listeners. We will give you justice.

How adversaries use politics for compromise


By Nick Biasini and Edmund Brumaghin.


Executive Summary


With the U.S. presidential primaries just around the corner, even malware authors can't help but get behind the frenzy. Cisco Talos recently discovered several malware distribution campaigns where the adversaries were utilizing the names and likenesses of several prominent political figures, chief among them U.S. President Donald Trump. We discovered a series of ransomware, screenlockers, remote access trojans (RATs) and other malicious applications that play off of Trump's likeness, as well as former presidential candidate Hillary Clinton.

Some of the applications are designed to coerce victims into paying ransom demands, while others could be used to gain backdoor access to systems and provide attackers the ability to operate within organizational networks. In many cases, it is clear that the authors of these applications were motivated by their political beliefs, which were reflected in the software that they created. In this post, we'll analyze several of these examples and provide a look at the types of malware they deployed.

There is a wide array of threats that adversaries are willing to deliver through any means necessary, including leveraging political themes and overtones. This is one of the reasons why organizations need to be diligent in protecting their environments through various technologies, applying best practices, and taking a thorough defense-in-depth approach when implementing various security controls. Additionally, ensure you have an employee information security education program that exposes users to the variety of lures that can be leveraged by adversaries to deliver these threats.

Monday, November 4, 2019

C2 With It All: From Ransomware To Carding


By Warren Mercer, Paul Rascagneres and Vitor Ventura.

Summary


Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims' infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.

We found a great variety of malicious files on this server, ranging from ransomware like the DoppelPaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2)

The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.

The latest on BlueKeep and DejaBlue vulnerabilities — Using Firepower to defend against encrypted DejaBlue

Update (11/04/2019):

There have been several public reports of active exploitation of CVE-2019-0708, commonly referred to as “BlueKeep.” Preliminary reports indicate that the vulnerability is being exploited by adversaries who are leveraging access to compromised systems to install cryptocurrency mining malware. At this time, there has been no evidence to suggest that the exploitation is due to the emergence of a new worm, and it is likely being done as part of a mass exploitation campaign, similar to what we have seen in previous instances of mass exploitation campaigns. Existing coverage for BlueKeep continues to be an effective way to mitigate possible exploitation attempts. For additional information related to protecting against attacks leveraging BlueKeep, please refer to the blog posts here.

Note: This post was originally published on 09/03/2019.

This blog was authored by Brandon Stultz, Holger Unterbrink and Edmund Brumaghin.

Executive summary


Over the past few months, Microsoft has released several security updates for critical Remote Desktop Protocol (RDP)-related security bugs. These bugs are significant for IT infrastructure because they are classified as "wormable," meaning future malware that exploits them could spread from system to system without requiring explicit user interaction. These vulnerabilities could be exploited by an attacker sending a specially crafted request to the target system's Remote Desktop Service via RDP. We have seen how destructive these kinds of attacks can be, most notably WannaCry. We highly recommend organizations immediately apply Microsoft's patches. Cisco Talos released detection coverage for CVE-2019-0708 and also enhanced guidance to help organizations facilitate inspection of RDP sessions here. Microsoft published additional security updates last month to mitigate two additional remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, affecting several versions of Microsoft Windows. These bugs are referred to as "DejaBlue" due to their similarities to BlueKeep.

Once again, Cisco Talos started working immediately to reverse-engineer the RCE vulnerabilities. Protections for both CVE-2019-1181 and CVE-2019-1182 now exist to keep your systems secure. SID 51369 for SNORT® correctly blocks exploitation of CVE-2019-1181 and CVE-2019-1182. In this post, we'll run through the details of how to protect against this "DejaBlue" exploit and walk through the steps to protect your environment.

Vulnerability Spotlight: Two remote code execution vulnerabilities in Investintech Able2Extract


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered two remote code execution vulnerabilities in Investintech’s Able2Extract Professional. This software is a cross-platform PDF tool for Windows, Mac and Linux that converts PDFs and allows users to create and edit them. Other features include PDF signing, redactions and annotations. An attacker could exploit these vulnerabilities to execute arbitrary code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Investintech to ensure that these issues are resolved and that updates are available for affected customers on various operating systems.

Friday, November 1, 2019

Threat Roundup for October 25 to November 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 25 and Nov. 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.